You are here

Keeping Employee Medical Records Safe

January 11, 2019

By:

Kathleen Benavidez

share this

Cybersecurity experts warn that healthcare data has become a growing target for hackers in recent years. Electronic health records, in particular, command a high price in the black market—even more than financial data.

To make matters worse, there are many ways health records can be compromised, apart from the deliberate threats posed by malicious elements. Even a lost laptop can expose this sensitive information and cause harm should they fall into the wrong hands.

Under our Data Privacy Act, health records qualify as sensitive personal information to which more stringent rules for processing apply. This is also true for the European Union’s General Data Protection Regulation which classifies it as a special category of personal data. One of the earlier laws to offer safeguards to health information was the French data protection law, Loi Informatique et Libertes 1978, which prohibited its processing by default, save for couple of exceptions. Meanwhile, in the U.S., there is a law that applies specifically to health information: the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Employee records are one major source of health data. Employers, after all, have a legitimate interest in the fitness of their employees. Through their respective human resources units, they make sure if their personnel are fit to work, or have any sickness or disability that renders them incapable of performing their assigned tasks. This is why applicants are asked to undergo a medical examination during the hiring process, and why there are also annual physical examinations. On the side, healthcare companies that provide services to employers also get to collect and access health information, which they use to determine the extent of an employee’s insurance coverage.

These being said, having a legitimate interest in an employee’s health does not translate to unmitigated access to his or her medical records. Neither does it authorize the disclosure of his or her medical condition to an entire organization. The exposure of one’s health status could make one the subject of discrimination, extreme prejudice, and, in some cases, even identity fraud.

To protect employees’ health records, here are a couple of ways to consider:

Data minimization. Data must only be collected as needed, such as when processing healthcare information is required by law. There are times, though, that employer access may be too much. For instance, must an employer have full access to an applicant’s pre-employment medical examination? Would a medical report indicating that he or she is fit to work suffice? If health insurance coverage is a concern, the health maintenance organization (HMO) engaged by a company could access and process the data directly, without having to give it to the employer. The same is true when an employee becomes sick or is hospitalized. In many cases, a medical certificate indicating that an employee may already return to work is enough. There may be no need to know the details of the hospitalization. The employee concerned can also just relay any other instructions that may have been given by his or her attending physician.

Access Restriction. Restrict access to employees’ medical records. Within an organization, the office often tasked to collect healthcare information is the human resources department. As a primary layer of protection, it should only allow a limited number of personnel to access to such records. Only those whose jobs require or depend on such access should be allowed to do so. If these records will be shared with other offices, the accessing party must have a legitimate interest in said files. There must be strict guidelines governing such sharing arrangements.

Physical and Technical security measures. There must be a secure storage space for employee medical records, such as a filing cabinet with a lock. These documents must not be readily visible to anyone, even to others who belong to the same office. They should not be left lying around in tables, prone to visual hacking. Similarly, there should also be limited access to electronic copies of such files. Encryption methods may be used as an additional line of defense.

In the long run, a regulation that prescribes the proper handling of health records still offers the most effective type of data protection. Here in the Philippines, a Health Privacy Code was already in the works by the time the National Privacy Commission was established. With proper review and the subsequent approval by the Commission, a policy like that could potentially address all the issues raised here as well those by others who currently processing the health information of employees.

Downloads

Contact Form
[doc] [pdf]Use this form to submit or file inquiries, concerns, complaints, or to report a security incident or data breach.

Incident Report Form
[doc] [pdf]For University Personnel, use this form to report a security incident or data breach.